The document discusses identity proofing using OpenID Connect. It provides examples of use cases that require identity verification like opening a bank account or accessing health data. It proposes representing verified identity claims in a composite JSON Web Token claim that includes metadata about the verification process and the verified claims. An example token is given that verifies a user's name, date of birth, place of birth and nationality according to a specified assurance level by referencing an existing bank verification. The document also describes how to request specific verified claims from the identity provider.

1. Identity Proofing with
OpenID Connect
Torsten Lodderstedt, yes.com

2. Use Cases
● Opening a banking account (Anti-Money Laundering)
● Applying for a loan (Anti-Money Laundering)
● Signing up for a mobile subscription (Anti-Terrorism)
● Identification for access to health data
● Qualified electronic signature (eIDAS/electronic IDentification, Authentication
and trust Services)

3. Representation
● needed for
○ User Claim Values
○ Confidence Level (per claim or set of claims)
○ Data about the verification process and the respective identity sources (e.g. id document
number)
● supports mixture of verified and unverified claims, e.g. self declared address
and verified name
● can be used with: User Info, ID Token, Access Token Introspection
-> And there needs to be a way to request specific claims to be verified (selective
disclosure)

4. Example
● The RP wants to identity user according to eIDAS assurance level substantial,
wich requires the following data
○ Name, Birth Date and Place of Birth, nationality
● User (Max) utilizes KYC data associated with his Online-Banking Account
● Max Meier’s identity was verified using his ID Card by the Bank (Sparkasse
Musterstadt) according to the German Anti-Money Laundering Law.
● The Bank delegated that verification process to an agency (Deutsche Post).
● RP needs to get an attestation about the whole process for its audit trail.

5. Approach
● Dedicated composite verified person data claim built from
○ Sub element containing all metadata regarding the verification
○ Another sub element containing the actual user claims
● Additional user claims (e.g. for nationality)

6. {
"iss":"https://as.sparkasse-musterstadt.de",
"sub":"123456789087632345678",
"aud":"example_rp",
"acr":"https://www.yes.com/aal/online_banking_sca"
"https://www.yes.com/claims/verified_person_data":{
"verification":{
"organization":"Sparkasse Musterstadt",
"legal_context":{
"country":"DE",
"regulation":"Geldwäschegesetz"
}
"date":"2013-02-21",
"method":"identity_document",
"identity_document":{
"country":"DE",
"type":"ID Card",
"issuer":"Stadt Augsburg",
"number":"53554554",
"date_of_expiry":"2022-04-22",
"method":"Physical In-Person Proofing (shop)",
"organization":"Deutsche Post AG",
}
},

7. "claims":{
"given_name":"Max",
"family_name":"Meier",
"birthdate":"1956-01-28",
"https://www.yes.com/claims/place_of_birth":{
"country":"DE",
"city":"Musterstadt"
},
"https://www.yes.com/claims/nationality":"DE"
},
}
"address":{
"locality":"Maxstadt",
"postal_code":"12344",
"country":"DE",
"street":"An der Sanddüne 22"
},
}

8. Requesting Verified Person Data
{
"userinfo":{
"https://www.yes.com/claims/verified_person_data":{
"claims":{
"given_name":null,
"family_name":null,
"birthdate":null,
"https://www.yes.com/claims/place_of_birth":null,
"https://www.yes.com/claims/nationality":null,
"address":null
}
}
}
}